Foothold

A foothold is the initial level of access an attacker gains on a compromised system or network, allowing them to persist, escalate privileges, and move laterally.

What is a foothold in cybersecurity?

In cybersecurity, a foothold refers to the first successful and persistent access an attacker establishes inside a target environment. It is typically achieved after exploiting a vulnerability, stealing credentials, or executing malicious code on an endpoint, server, or cloud resource.

A foothold does not necessarily mean full control. Instead, it represents a beachhead from which attackers can observe the environment, deploy additional tools, and prepare more advanced attack stages.

Why footholds matter

Once a foothold is established, attackers can:

  • Maintain persistence even after reboots
  • Escalate privileges to gain administrative access
  • Move laterally across systems
  • Exfiltrate data or deploy ransomware
  • Bypass security controls over time

From a defender’s perspective, detecting and removing footholds early is critical to stopping full-scale breaches.

Common ways attackers gain a foothold

Typical foothold techniques include:

  • Phishing emails that deliver malware or harvest credentials
  • Exploiting unpatched software vulnerabilities
  • Compromised VPN, RDP, or cloud credentials
  • Malicious browser extensions or trojanized installers
  • Supply chain attacks (tainted updates or dependencies)

In modern attacks, footholds are often designed to be stealthy, avoiding immediate detection.

Examples of footholds

  • A PowerShell backdoor running under a standard user account
  • A scheduled task that launches malware at login
  • A malicious OAuth app granted access to Microsoft 365
  • A web shell uploaded to a vulnerable web server
  • A compromised service account in a cloud environment

Foothold vs persistence

Although closely related, they are not identical:

  • Foothold: the initial access point
  • Persistence: techniques used to keep that access over time

A foothold often evolves into multiple persistence mechanisms once the attacker stabilizes their presence.

How defenders detect footholds

Security teams typically rely on:

  • Endpoint Detection and Response (EDR)
  • Identity and Access Management (IAM) auditing
  • Log correlation (SIEM)
  • Abnormal process and network behavior analysis
  • Privileged access monitoring

Zero Trust architectures aim to limit the impact of footholds by preventing unrestricted lateral movement.
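As an added illustration of the log-correlation approach described above (this is example code, not part of the glossary entry), here is a small detector run over constructed Windows Security and Microsoft 365 audit records; the dict field names and sample values are assumptions made for the example. It flags three of the footholds listed earlier (a logon-triggered scheduled task in a user-writable path, encoded PowerShell under a standard user account, and a risky OAuth app consent) and correlates them per identity so endpoint and SaaS signals surface as one foothold rather than scattered alerts.

```python
import re

# Constructed sample telemetry (not real logs): Windows Security events and one
# Microsoft 365 audit record, normalized to dicts with assumed field names.
SAMPLE_EVENTS = [
    {"source": "win", "event_id": 4698, "host": "WS01", "user": "CORP\\jdoe",
     "task_trigger": "LogonTrigger",
     "task_action": r"C:\Users\jdoe\AppData\Roaming\svc\update.exe"},
    {"source": "win", "event_id": 4698, "host": "WS02", "user": "CORP\\it-admin",
     "task_trigger": "DailyTrigger", "task_action": r"C:\Program Files\Backup\backup.exe"},
    {"source": "win", "event_id": 4688, "host": "WS01", "user": "CORP\\jdoe",
     "is_admin": False, "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"source": "win", "event_id": 4688, "host": "SRV01", "user": "CORP\\it-admin",
     "is_admin": True, "cmdline": "powershell.exe -File C:\\Scripts\\patch.ps1"},
    {"source": "m365", "operation": "Consent to application.", "user": "jdoe@corp.example",
     "app": "Mail Helper", "scopes": "Mail.ReadWrite offline_access"},
]

# Paths a standard user can write to; a logon-triggered task pointing there is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
# PowerShell's encoded-command switch in its accepted abbreviations.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}

def classify(event):
    """Return a foothold label for one event, or None if it looks benign."""
    if event.get("event_id") == 4698:  # scheduled task created
        if event["task_trigger"] == "LogonTrigger" and USER_WRITABLE.search(event["task_action"]):
            return "scheduled-task-at-logon"
    elif event.get("event_id") == 4688:  # process creation
        if ENCODED_PS.search(event["cmdline"]) and not event.get("is_admin"):
            return "encoded-powershell-standard-user"
    elif event.get("operation") == "Consent to application.":
        if RISKY_SCOPES & set(event["scopes"].split()):
            return "oauth-app-risky-consent"
    return None

def principal(user):
    """Normalize 'DOMAIN\\name' and 'name@tenant' to one comparable identity key."""
    return user.split("\\")[-1].split("@")[0].lower()

def detect_footholds(events):
    """Group hits per identity so an analyst sees the foothold, not isolated alerts."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(principal(ev["user"]), []).append(label)
    return findings
```

Running `detect_footholds(SAMPLE_EVENTS)` attributes all three hits to `jdoe`, while the admin's daily backup task and file-based script produce nothing.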

Common mistakes and misconceptions

  • Assuming a single infected machine equals a full breach
  • Focusing only on malware, not identity-based footholds
  • Removing visible malware but leaving persistence artifacts
  • Ignoring cloud and SaaS footholds